Ben Watson | SOC Analyst | 7 January 2025
Welcome to Fortian's December 2024 Monthly Cybersecurity Update.
Happy new year to our readers and customers! The cybersecurity threat landscape was red-hot in December 2024. Critical infrastructure remained a prime target and geopolitical tensions between the U.S. and China escalated further, with accusations of state-sponsored cyberattacks exchanged between the two nations. Meanwhile, Australia witnessed significant legislative milestones in privacy and cybersecurity, alongside notable cyber incidents affecting local organisations and industries.
U.S. Treasury Breach via BeyondTrust
Chinese state-sponsored hackers reportedly breached the U.S. Treasury Department by exploiting a stolen Remote Support SaaS API key from BeyondTrust, a third-party software provider. This allowed attackers to access workstations in sensitive offices that oversee economic sanctions, one of the U.S.’s most critical national security tools (Washington Post).
Salt Typhoon’s Telecommunications Breach
Salt Typhoon, a Chinese hacking group, targeted nine U.S. telecommunications providers over 18 months, compromising metadata for over one million Americans, including high-profile political figures such as Donald Trump and J.D. Vance. While the attack was first reported in October 2024, details continued to emerge in December.
The group exploited vulnerabilities in outdated Cisco routers, Fortinet security products, and potentially used zero-day exploits to gain access. Attackers utilised "living off the land" techniques, repurposing legitimate tools for lateral movement, privilege escalation, and backdoor creation. They also deployed custom malware, encrypted communications, and exploited interconnectivity between telecom providers to expand their access (The Record; Reuters; Cybersecurity Dive).
Reconnaissance efforts focused on critical infrastructure, such as signal-switching systems and surveillance platforms, while attackers exfiltrated sensitive data, including call metadata and surveillance records.
These attacks prompted a U.S. government response, with proposed regulations for telecom providers to adopt risk management frameworks, annual compliance certifications, and enhanced network security guidelines (TechBlog).
WACER and Fresh Produce Safety Centre Australia & New Zealand
The Funksec ransomware group allegedly targeted two Australian organisations in December: WACER, a West Australian cleaning supplier, and the Fresh Produce Safety Centre Australia & New Zealand, a University of Sydney-affiliated not-for-profit. Funksec claimed to have stolen data from both entities but released only minimal, non-sensitive information. The leaked data primarily consisted of publicly available material (VPNRanks).
Waverley Christian College
The Fog ransomware gang claimed responsibility for an attack on Waverley Christian College, located in Victoria. The group alleged they stole 5GB of sensitive data, including financial and insurance documents and internal communications. The college confirmed it was investigating the claims and had taken steps to secure its systems (CyberDaily).
Ainsworth Game Technology
Medusa, a high-profile ransomware group, claimed to have attacked Ainsworth Game Technology, a Sydney-based gaming machine manufacturer. The group reportedly exfiltrated 852.4GB of data, including confidential business information and personal employee records. Medusa demanded $1.2 million in ransom, threatening to release the stolen data if their demands were not met (VPNRanks).
Glenorchy City Council IT Breach
An IT service provider for Glenorchy City Council in Tasmania was apparently breached, prompting the isolation of affected systems while investigations continue. Early assessments suggested no evidence of compromised ratepayer information. External contractors and the affected vendor are supporting the council in its response (Pulse Tasmania).
Banking Trojans Targeting Australian Banks
A global malware campaign targeting mobile banking apps allegedly impacted 34 Australian banks. The attackers used fake recruitment campaigns to lure victims into downloading malicious Android CRM applications that installed the Antidot Banker malware. This malware is designed to steal banking credentials, posing a threat to financial institutions and their customers (MPA Magazine).
Finally, the ASD released a joint advisory warning of China-backed threat actors targeting global telecommunication providers. The advisory is aimed at network defenders and engineers and provides practical steps that can be taken to monitor for and defend against the threat.
Amendments to the Privacy Act 1988 introduced criminal offences for maliciously releasing personal data (“doxxing”) and established a statutory tort for serious privacy breaches.
In Australia, all three Bills making up the government's cyber security legislative package became law. All three laws require rules to be made by the Cyber and Infrastructure Security Centre (CISC) to give effect to some key provisions of the legislation (CISC).
To assist businesses in preparing for compliance, the CISC has organised deep-dive sessions on the draft rules. Topics include:
We strongly encourage Australian organisations to participate in the deep-dive sessions.
The wave of cyber incidents in December highlights a number of key areas where Australian businesses should focus their security efforts:
Strengthen Third-Party Risk Management
Organisations should rigorously assess and monitor service providers to ensure compliance with best practice, such as that outlined in the ACSC’s Cyber Supply Chain Risk Management guidelines and the National Institute of Standards and Technology's (NIST) document "Key Practices in Cyber Supply Chain Risk Management".
Proactive Defence Measures
Organisations should prioritise timely patch management, advanced monitoring tools, and network segmentation to mitigate risks and limit the impact of potential breaches.
Compliance with New Legislation
Participation in CISC’s January / February 2025 deep-dive sessions is important for Australian organisations wanting to understand their legal obligations and adopt measures to meet reporting and security requirements effectively. Find out more and register here.